Title Page
- Service Provider Name
- Conducted on
- Prepared by
Annual Documents
- InfoSec Annual Review - Provide your information security framework (please email it or upload it to the platform)
- InfoSec Annual Testing - Provide your latest specialist external testing of information security (latest penetration test, SOC 2 report or ISO 27001 certification; please email it or upload it to the platform)
- BCP Testing - Provide your most recent BCP test report (please email it or upload it to the platform)
- Business Impact Assessment (BIA) of critical business processes and critical systems - Please provide your latest BIA
- DR Testing - Provide your DR test report, with fully documented scope, success criteria and outcomes (please email it or upload it to the platform)
- Data Protection Policy - Provide your latest data protection policy
Outsourcing
- Have you onboarded any outsourced services in the last period (12 months)?
- Please provide details of the services being outsourced
Information Security
- Have you maintained an information security framework and complied with the relevant legislation?
- Has your Information Security Controls Framework been reviewed in the last 12 months?
- Have you become aware of a material weakness in any of your information security controls in the last year?
- Please provide further details (material weakness information)
- Have you complied with your Information Security Controls testing program?
- If you became aware of a critical cyber security incident in the last period, have you complied with all legislative obligations?
- Please provide further information about the nature of the incident
Business Resilience
- Have you completed a Business Impact Assessment (BIA) of critical business processes and critical systems in the past 12 months?
- Do you have a Business Continuity Plan (BCP) for each of the critical business processes identified in your BIA, including a recovery strategy/plan?
- Do you have an IT Service Continuity Management (ITSCM) Plan with recovery time and recovery point objectives aligned with the BIA?
- As part of your ITSCM plan, do you have a Disaster Recovery Plan (DRP) for each of the critical systems identified in your BIA?
- Have all core operating systems used in providing services to us been continuously available during core business hours over the last 12 months?
Fraud and Corruption
- Have you reported any suspected or actual misconduct that did or could impact the service you provide to us in the last 12 months?
Privacy
- Have you taken all reasonable steps in the last 12 months to comply with all applicable privacy legislation?
- Have there been any new processes/projects, or changes to current processes, that impact the handling and/or processing of personal information related to services you intend to provide to SCC?
- Please provide further information
- Who is your designated privacy officer?
Data
- Will our data be stored in NZ, Australia or India?
- Will our data be accessed by Grappler from NZ, Australia and/or India?
- Will any personal data be stored or processed in any country other than NZ, Australia or India?
Modern Slavery
- Do you have policies and processes in place to assist with the identification and eradication of modern slavery in your supply chain network?
- Have you taken all reasonable steps in the last 12 months to comply with all applicable modern slavery legislation?
- Do you work or operate within a sector or country that has a heightened risk of modern slavery?
- Please provide further information
- Does your company employ migrant workers or other workers who may be vulnerable to exploitation?
- Please provide further information